Zertifikat: Unterschied zwischen den Versionen

Aus Info-Theke
Zur Navigation springen Zur Suche springen
 
(23 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
[[Kategorie:ServerApplikation]]
[[Kategorie:ServerApplikation]] [[Kategorie:Sicherheit]]


== Erstellen ==
== Dateitypen ==
<pre>
* Encodings (also used as extensions)
openssl req -new -x509 -newkey rsa:2048 -keyout nginx.key -out nginx.pem -days 3650
** .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension.
</pre>
** .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.
 
* Extensions:
== Mit Signierung ==
** .CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous.  Most common among *nix systems
 
** .CER = alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer)  The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
<pre>
** KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.
FN_CA=dockerCA
FN_CERT=hamatoma.de
cd /etc/ssl
test -d ca || mkdir ca
cd ca
openssl genrsa -out $FN_CA.key 2048


openssl req -x509 -new -nodes -key $FN_CA.key -days 3650 -out $FN_CA.crt
== Wildcard-Zertifikat ==
<pre>ROOT_CA=rootCA
VALID_DAYS=1000
CERT=vmd9593
# Schlüssel generieren, kein Passwort:
openssl genrsa -out $CERT.key 2048


openssl genrsa -out $FN_CERT.key 2048
# Zertifikatsanfrage generieren: CN (Common Name) evt. IP-Adresse
# kein Passwort vergeben!
# Bei CN (Common Name) eintragen: "*.f-r-e-i.de"
openssl req -new -key $FN_CERT.key -out $FN_CERT.csr
openssl req -new -key $CERT.key -out $CERT.csr -sha512 -config ./openssl.cnf
 
echo "subjectAltName = IP:212.144.248.3" > extfile.cnf
openssl x509 -req -in $FN_CERT.csr -CA $FN_CA.crt -CAkey $FN_CA.key -CAcreateserial -out $FN_CERT.crt -days 3650 -extfile extfile.cnf
 
cp $FN_CERT.crt ../certs
cp $FN_CERT.key ../private
 
</pre>


== Passwort entfernen ==
# Signieren:
<pre>
openssl x509 -req -days $VALID_DAYS -in $CERT.csr -signkey ${ROOT_CA}.key -out $CERT.pem
openssl rsa -in nginx.key -out nginx.key
</pre>
</pre>
* Es wird einmal das Passwort abgefragt

Aktuelle Version vom 23. September 2015, 11:55 Uhr


Dateitypen[Bearbeiten]

  • Encodings (also used as extensions)
    • .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension.
    • .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.
  • Extensions:
    • .CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems
    • .CER = alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer) The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
    • KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.

Wildcard-Zertifikat[Bearbeiten]

ROOT_CA=rootCA
VALID_DAYS=1000
CERT=vmd9593
# Schlüssel generieren, kein Passwort:
openssl genrsa -out $CERT.key 2048

# Zertifikatsanfrage generieren: CN (Common Name) evt. IP-Adresse
# Bei CN (Common Name) eintragen: "*.f-r-e-i.de"
openssl req -new -key $CERT.key -out $CERT.csr -sha512 -config ./openssl.cnf

# Signieren:
openssl x509 -req -days $VALID_DAYS -in $CERT.csr -signkey ${ROOT_CA}.key -out $CERT.pem